D-Link DIR-615 Command Injection Vulnerability in URL Filter Component

A command injection vulnerability has been identified in the D-Link DIR-615 router running firmware version 4.10. This vulnerability resides in the URL Filter component, specifically within the '/set_temp_nodes.php' file. The issue arises because the firmware does not properly sanitize user input in the 'URL' field when creating new URL blocking rules. As a result, an authenticated attacker can inject shell metacharacters, leading to the execution of arbitrary system commands with root privileges. The injected command is first stored in a temporary session node, then saved to the device's configuration, and executed when the firewall rules are updated. This vulnerability can be exploited remotely and has been made public.

Impact

Exploitation of this vulnerability allows for unauthorized command execution with root privileges on the affected device.

Reproduction

To reproduce this vulnerability, an authenticated user can access the URL Filter component of the D-Link DIR-615 router's firmware version 4.10. By injecting shell metacharacters into the 'URL' field while creating a new URL blocking rule, the malicious input can be exploited to execute arbitrary commands on the router with root privileges. The injected command is executed when the firewall rules are regenerated.